express-jwt
Comparing version 6.0.0 to 6.1.0
# Change Log | ||
All notable changes to this project will be documented in this file starting from version **v4.0.0**. | ||
This project adheres to [Semantic Versioning](http://semver.org/). | ||
## 6.0.0 - 2020-06-29 | ||
- Made algorithms mandatory ([304a1c5968aed7c4c520035426fc09142156669d](https://github.com/auth0/express-jwt/commit/304a1c5968aed7c4c520035426fc09142156669d)) | ||
## 5.3.3 - 2020-04-27 | ||
- Improvements to documentation | ||
## 5.3.2 - 2020-04-27 | ||
- Updated build to run on Node 8, 10 and 12 [178928266c3cf2fed3f9e013722cc8d29d4672ba](https://github.com/auth0/express-jwt/commit/178928266c3cf2fed3f9e013722cc8d29d4672ba) | ||
- Updated JSON web token dependency [11f3ac49736f37c5b74cd67bde87c50fdca19868](https://github.com/auth0/express-jwt/commit/11f3ac49736f37c5b74cd67bde87c50fdca19868) | ||
## 5.3.0 - 2017-04-17 | ||
- Export unauthorized error [d662501f75b60e79f0e02e8df325a7960187af65](https://github.com/auth0/express-jwt/commit/d662501f75b60e79f0e02e8df325a7960187af65) | ||
- Updated JSON web token library [fcf97715a5a11cbf7b828a3fa953e4c644856706](https://github.com/auth0/express-jwt/commit/fcf97715a5a11cbf7b828a3fa953e4c644856706) | ||
- Added support for `resultProperty` [c2aa463f69fea5535dc14da86f8ea13436e72d04](https://github.com/auth0/express-jwt/commit/c2aa463f69fea5535dc14da86f8ea13436e72d04) | ||
## 5.2.0 - 2016-10-07 | ||
- Added changelog [34dd51dde3fd83182bd076d9a9378626d17152f2](https://github.com/auth0/express-jwt/commit/34dd51dde3fd83182bd076d9a9378626d17152f2) | ||
## 5.1.0 - 2016-10-04 | ||
@@ -8,0 +30,0 @@ |
{ | ||
"name": "express-jwt", | ||
"version": "6.0.0", | ||
"version": "6.1.0", | ||
"description": "JWT authentication middleware.", | ||
@@ -33,3 +33,3 @@ "keywords": [ | ||
"async": "^1.5.0", | ||
"express-unless": "^0.3.0", | ||
"express-unless": "^1.0.0", | ||
"jsonwebtoken": "^8.1.0", | ||
@@ -36,0 +36,0 @@ "lodash.set": "^4.0.0" |
@@ -21,3 +21,3 @@ # express-jwt | ||
app.get('/protected', | ||
jwt({ secret: 'shhhhhhared-secret' }), | ||
jwt({ secret: 'shhhhhhared-secret', algorithms: ['HS256'] }), | ||
function(req, res) { | ||
@@ -33,5 +33,18 @@ if (!req.user.admin) return res.sendStatus(401); | ||
### Required Parameters | ||
The `algorithms` parameter is required to prevent potential downgrade attacks when providing third party libraries as **secrets**. | ||
:warning: **Do not mix symmetric and asymmetric (ie HS256/RS256) algorithms**: Mixing algorithms without further validation can potentially result in downgrade vulnerabilities. | ||
```javascript | ||
jwt({ | ||
secret: 'shhhhhhared-secret', | ||
algorithms: ['HS256'] | ||
//algorithms: ['RS256'] | ||
}) | ||
``` | ||
### Additional Options | ||
You can specify audience and/or issuer as well: | ||
You can specify audience and/or issuer as well, which is highly recommended for security purposes: | ||
@@ -42,3 +55,4 @@ ```javascript | ||
audience: 'http://myapi/protected', | ||
issuer: 'http://issuer' | ||
issuer: 'http://issuer', | ||
algorithms: ['HS256'] | ||
}) | ||
@@ -52,3 +66,4 @@ ``` | ||
```javascript | ||
jwt({ secret: new Buffer('shhhhhhared-secret', 'base64') }) | ||
jwt({ secret: Buffer.from('shhhhhhared-secret', 'base64'), | ||
algorithms: ['RS256'] }) | ||
``` | ||
@@ -59,3 +74,3 @@ | ||
```javascript | ||
app.use(jwt({ secret: 'shhhhhhared-secret'}).unless({path: ['/token']})); | ||
app.use(jwt({ secret: 'shhhhhhared-secret', algorithms: ['HS256']}).unless({path: ['/token']})); | ||
``` | ||
@@ -71,3 +86,3 @@ | ||
var publicKey = fs.readFileSync('/path/to/public.pub'); | ||
jwt({ secret: publicKey }); | ||
jwt({ secret: publicKey, algorithms: ['RS256'] }); | ||
``` | ||
@@ -81,3 +96,3 @@ | ||
```javascript | ||
jwt({ secret: publicKey, requestProperty: 'auth' }); | ||
jwt({ secret: publicKey, algorithms: ['RS256'], requestProperty: 'auth' }); | ||
``` | ||
@@ -88,3 +103,3 @@ | ||
```javascript | ||
jwt({ secret: publicKey, resultProperty: 'locals.user' }); | ||
jwt({ secret: publicKey, algorithms: ['RS256'], resultProperty: 'locals.user' }); | ||
``` | ||
@@ -104,2 +119,3 @@ | ||
secret: 'hello world !', | ||
algorithms: ['HS256'], | ||
credentialsRequired: false, | ||
@@ -146,3 +162,3 @@ getToken: function fromHeaderOrQuerystring (req) { | ||
app.get('/protected', | ||
jwt({ secret: secretCallback }), | ||
jwt({ secret: secretCallback, algorithms: ['HS256'] }), | ||
function(req, res) { | ||
@@ -181,2 +197,3 @@ if (!req.user.admin) return res.sendStatus(401); | ||
secret: 'shhhhhhared-secret', | ||
algorithms: ['HS256'], | ||
isRevoked: isRevokedCallback | ||
@@ -208,2 +225,3 @@ }), | ||
secret: 'hello world !', | ||
algorithms: ['HS256'], | ||
credentialsRequired: false | ||
@@ -210,0 +228,0 @@ })); |
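Review bot: The base64 example at `jwt({ secret: Buffer.from('shhhhhhared-secret', 'base64'), algorithms: ['RS256'] })` pairs a decoded shared-secret Buffer with an asymmetric algorithm, which is exactly the symmetric/asymmetric mix the new "Required Parameters" warning tells readers to avoid; RS256 verification needs an RSA public key, as the later `publicKey` examples show, while a decoded shared secret is HMAC material. Every other shared-secret example in this section uses HS256, so this one should read `jwt({ secret: Buffer.from('shhhhhhared-secret', 'base64'), algorithms: ['HS256'] })`. The sentence "to prevent potential downgrade attacks when providing third party libraries as **secrets**" also reads like a slip, presumably for "third party keys" (the public-key case), and is worth rewording so the rationale is clear. The README section continues outside the hunk.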
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do change the security surface of a package and are worth verifying before upgrading.
Found 1 instance in 1 package
+ Addedexpress-unless@1.0.0(transitive)
- Removedexpress-unless@0.3.1(transitive)
Updatedexpress-unless@^1.0.0